Firewalls for securing customer data in a multi-tenant environment

ABSTRACT

Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a divisional of U.S. non-provisional applicationSer. No. 11/585,527, filed Oct. 23, 2006, entitled “SYSTEMS AND METHODSFOR SECURING CUSTOMER DATA IN A MULTI-TENANT ENVIRONMENT” by Chan etal., which claims the benefit of U.S. Provisional Application No.60/741,995, filed Dec. 2, 2005, entitled “SYSTEMS AND METHODS FORSECURING CUSTOMER DATA IN A MULTI-TENANT ENVIRONMENT,” the disclosure ofwhich is incorporated herein by reference in its entirety.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

The present invention relates generally to securing data in a databasenetwork system, and more particularly to securing data in a multi-tenantdatabase network system.

BACKGROUND

In modern database systems, one or more customers may share the variouselements of hardware and software of the database system. Such a sharedhardware and software approach can enable database related services tobe provided at a far lower cost than if each customer had to buyhardware and software for themselves. In such a system it is highlydesirable to assure that a customer's data remains secure and onlyvisible and updatable by appropriate users in an organization.

Data security starts with physical security, including intrusiondetection and physical access controls. At the network layer, industrystandard network firewalls typically are used to block access to allmachines within the data center except when appropriate over the HTTPprotocol. Also, the network may be scanned from outside the datacenterto assure the network firewall is blocking all unauthorized access.Nonetheless, it is useful to provide additional or alternative securitysystems and methods as a defense against possible errors or defects inapplication software, system and network software, and/or system andnetwork hardware that may cause the wrong page or data to be returned toa user.

Therefore it is desirable to provide systems and methods to assure thatany error or defect in the shared hardware and software infrastructuredoes not cause the vital customer data to be delivered to the wronguser.

BRIEF SUMMARY

The present invention provides systems and methods for enhancing systemand network security in a multi-tenant database network environment.These systems and methods employ one or more techniques such asidentifying suspect query plans, comparing user and organizationinformation included in a query with user and organization informationincluded in a response from an application server to verify that theresponse is indeed being sent to the appropriate user, and verifyingwhether a response from an application server is indeed being sent tothe appropriate user system by comparing user and organization idinformation stored at the client with similar information in theresponse. Employing one or more of these techniques can enableembodiments to secure customer data in a multi-tenant environment.

As used herein, the term multi-tenant database system refers to thosesystems in which various elements of hardware and software of thedatabase system may be shared by one or more customers. For example, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows for apotentially much greater number of customers. As used herein, the termquery plan refers to a set of steps used to access information in adatabase system.

According to an embodiment and by way of example, a query plan detectionmodule polls the database system to determine whether any query plansmay be suspect query plans, and if so raises an alert. Suspect queryplans include those query plans that should never occur in amulti-tenant database system, as well as query plans that should onlyoccur in a small number of identified circumstances, such as joins thatread multiple partitions and hash joins, for example. Because eachorganization's data may be stored in a single physical databasepartition in a multi-tenant database, any queries initiated by usersthat would access data in multiple partitions may be considered suspectquery plans. Similarly, where a large table is used to store data acrossmultiple tenants, any query plan that reads all or a majority of datarows in the table could be considered suspect. Other suspect query plansnot enumerated here for brevity are also contemplated in embodiments.Further, embodiments may perform other actions such as withoutlimitation, discarding the suspect query plan, postponing execution ofthe query plan, logging an audit message or the like, instead of or inaddition to raising an alert. Embodiments may also determine whether aparticular suspect query plan is a member of an exception class of queryplans, and if so, may permit the query plan to be executed withoutraising an alert.

According to another embodiment, a server-side firewall system includesa stack of one or more firewall servers sitting between the applicationservers and the client systems. A firewall server records user andorganization information for each client request received, and comparesthis information with user and organization information included in aresponse from an application server to verify that the response isindeed being sent to the appropriate user. According to anotherembodiment, a client-side firewall system includes logic executing onthe client system that verifies whether a response from an applicationserver is indeed being sent to the appropriate user system by comparinguser and organization id information stored at the client with similarinformation in the response. The client-side firewall is useful todetect errors in network hardware and/or software message transport.

Client and server firewall embodiments may be based on similarprinciples: track which user and organization is requesting a page andthen ensure that the page returned to the user is actually intended forthat user. In embodiments, these approaches can provide a defenseagainst errors or defects in the application software, system software,or hardware that may cause the wrong page to be returned to a user.

In an example client side firewall embodiment, a unique id of the userand organization (e.g., in the user hash cookie) is used to track whichuser is requesting a page. The server firewall tracks this using asession id (SID) assigned to each session created for an authenticateduser directly. Because the SID is potentially sensitive information thatmay be undesirable to return on every page, the application server inthis embodiment injects a user hash directly in the Hyper-text MarkupLanguage (HTML) of the page being returned and a SID in an Hyper-TextTransport Protocol (HTTP) header. The server firewall scans the SID inthe header of each page then strips the SID out before returning thepage to the client. In one aspect, however, the user hash remains in thehtml where validated by the client firewall.

The server firewall embodiments can have the advantage that the serverfirewall runs for every request, while the client firewall only runs forclients that support the logic platform (e.g., Java, JavaScript,ActiveX, etc.) that implements the firewall. The client firewallembodiments, however, can have the advantage that the client firewallcan catch errors in the networking layer between the server firewall andthe client that would not be caught by the server firewall.

Reference to the remaining portions of the specification, including thedrawings and claims, will realize other features and advantages of thepresent invention. Further features and advantages of the presentinvention, as well as the structure and operation of various embodimentsof the present invention, are described in detail below with respect tothe accompanying drawings. In the drawings, like reference numbersindicate identical or functionally similar elements.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present invention will bedescribed with reference to the drawings, in which:

FIG. 1 illustrates an environment wherein a multi-tenant database systemmight be used;

FIG. 2 illustrates elements of FIG. 1 and various interconnections inmore detail;

FIG. 3 illustrates the architecture of a database query plan detectionsystem 200 according to one embodiment;

FIG. 4 illustrates the architecture of a server side firewall system 300according to one embodiment; and

FIG. 5 illustrates client firewall process according to one embodimentof the present invention.

DETAILED DESCRIPTION

Embodiments in accordance with the present invention provide systems andmethods for securing customer data in a multi-tenant database networkenvironment. In particular, these systems and methods help assure thatany error or defect that may occur in the shared software and hardwareinfrastructure of the multi-tenant database network system does notresult in the delivery of pages or data to the wrong user. In certainaspects, these systems and methods analyze query plans and detectcertain query plans that should never occur, or that should only occurin a small number of well-defined circumstances. Also, server-sidefirewall systems and methods in accordance with some embodiments ensurethat the security of data and pages sent to users is not affected byserver-side infrastructure problems. In certain aspects, client-sidefirewall systems and methods are provided for ensuring that the securityof data and pages sent to users is not affected by network layerinfrastructure problems.

Security Overview

Security at the application level may be conceptualized as comprisingthree chief facets: authentication, authorization, and auditing.Authentication mechanisms typically require each user that logs into aservice to enter their password. This password may be checked against apassword stored in a database for example to verify the user's identity.

Once verified, a session is created for that user and a session id (SID)that may include information such as a user ID, an organization ID, aclient IP address, and an expiration time is assigned to the session.Also, the SID may be encrypted to avoid a malicious hacker from changingits contents.

The SID is typically returned to the user as a Hyper-Text TransportProtocol (HTTP) cookie for clients accessing by means of a browser or asa string data field for clients accessing by Application ProgrammingInterface (API). On each subsequent request, the client returns thiscookie or data field containing the SID. When processing requests, theapplication server first reads the SID, decrypts the SID to verify thatthe SID has not been tampered with, and verifies that the SID has notexpired and that the user is still authorized to access the system fromthe specified IP address. For any requests that happen within the window(e.g., 15 minutes) before the SID is set to expire, an applicationserver may “extend the life of the session” by creating a new SID with alater expiration time.

Authorization mechanisms typically include the application enforcingappropriate access to various features and functions based on userprofiles once the application knows the identity of the user and theorganization to which the user belongs (from the SID mechanism describedabove for example). The application also enforces appropriate data rowaccess based on any data sharing rules configured for the organization.

Auditing mechanisms typically include the application logging the dateand time of user logins and what actions they perform on the systembased on the user ID and organization ID from the SID, for example. Thisinformation may be used for various auditing activities.

Next, mechanisms and methods for providing improvements to applicationsecurity at one or more of the authentication, authorization andauditing facets will be described with reference to example embodiments.

System Overview

FIG. 1 illustrates an environment wherein a multi-tenant database systemmight be used. As illustrated in FIG. 1 (and in more detail in FIG. 2)user systems 12 might interact via a network 14 with a multi-tenantdatabase system (MTS) 16. The users of those user systems 12 might beusers in differing capacities, and the capacity of a particular usersystem 12 might be entirely determined by permissions (permissionlevels) for the current user. For example, where a salesperson is usinga particular user system 12 to interact with MTS 16, that user systemhas the capacities allotted to that salesperson. However, while anadministrator is using that user system to interact with MTS 16, thatuser system has the capacities allotted to that administrator. Insystems with an hierarchical role model, users at one permission levelmay have access to applications, data, and database informationaccessible by a lower permission level user, but may not have access tocertain applications, database information, and data accessible by auser at a higher permission level. Thus, different users will havedifferent capabilities with regard to accessing and modifyingapplication and database information, depending on a user's security orpermission level.

Network 14 can be a LAN (local area network), WAN (wide area network),wireless network, point-to-point network, star network, token ringnetwork, hub network, or other appropriate configuration. As the mostcommon type of network in current use is a TCP/IP (Transfer ControlProtocol and Internet Protocol) network such as the global internetworkof networks often referred to as the “Internet” with a capital “I,” thatwill be used in many of the examples herein. However, it should beunderstood that the networks that the present invention might use arenot so limited, although TCP/IP is the currently preferred protocol.

User systems 12 might communicate with MTS 16 using TCP/IP and, at ahigher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTPis used, user system 12 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages to and from anHTTP server at MTS 16. Such HTTP server might be implemented as the solenetwork interface between MTS 16 and network 14, but other techniquesmight be used as well or instead. In some implementations, the interfacebetween MTS 16 and network 14 includes load sharing functionality, suchas round-robin HTTP request distributors to balance loads and distributeincoming HTTP requests evenly over a plurality of servers. Preferably,each of the plurality of servers has access to the MTS's data, at leastas for the users that are accessing that server.

In one aspect, the system shown in FIG. 1 implements a web-basedcustomer relationship management (CRM) system. For example, in oneaspect, MTS 16 includes application servers configured to implement andexecute CRM software applications as well as provide related data, code,forms, Web pages and other information to and from user systems 12 andto store to, and retrieve from, a database system related data, objectsand Web page content. With a multi-tenant system, data for multipletenants may be stored in the same physical database object, however,tenant data typically is arranged so that data of one tenant is keptlogically separate from that of other tenants so that one tenant doesnot have access to another tenant's data, unless such data is expresslyshared. In certain aspects, system 16 implements applications otherthan, or in addition to, a CRM application. For example, system 16 mayprovide tenant access to multiple hosted (standard and custom)applications, including a CRM application.

One arrangement for elements of MTS 16 is shown in FIG. 1, including anetwork interface 20, storage 22 for tenant data, storage 24 for systemdata accessible to MTS 16 and possibly multiple tenants, program code 26for implementing various functions of MTS 16, and a process space 28 forexecuting MTS system processes and tenant-specific processes, such asrunning applications as part of an application hosting service.Additional processes that may execute on MTS 16 include databaseindexing processes.

Several elements in the system shown in FIG. 1 include conventional,well-known elements that need not be explained in detail here. Forexample, each user system 12 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. User system 12 typically runs an HTTP client, e.g., abrowsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, PDA or other wireless device, or the like,allowing a user (e.g., subscriber of the multi-tenant database system)of user system 12 to access, process and view information, pages andapplications available to it from MTS 16 over network 14. Each usersystem 12 also typically includes one or more user interface devices,such as a keyboard, a mouse, touch screen, pen or the like, forinteracting with a graphical user interface (GUI) provided by thebrowser on a display (e.g., monitor screen, LCD display, etc.) inconjunction with pages, forms, applications and other informationprovided by MTS 16 or other systems or servers. For example, the userinterface device can be used to access data and applications hosted byMTS 16, and to perform searches on stored data, and otherwise allow auser to interact with various GUI pages that may be presented to a user.

As discussed above, the present invention is suitable for use with theInternet, which refers to a specific global internetwork of networks.However, it should be understood that other networks can be used insteadof the Internet, such as an intranet, an extranet, a virtual privatenetwork (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 12 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium processor or the like. Similarly, MTS 16 (andadditional instances of MTS's, where more than one is present) and allof their components might be operator configurable using application(s)including computer code run using a central processing unit such as anIntel Pentium processor or the like, or multiple processor units.Computer code for operating and configuring MTS 16 to intercommunicateand to process web pages, applications and other data and media contentas described herein is preferably downloaded and stored on a hard disk,but the entire program code, or portions thereof, may also be stored inany other volatile or non-volatile memory medium or device as is wellknown, such as a ROM or RAM, or provided on any media capable of storingprogram code, such as a compact disk (CD) medium, digital versatile disk(DVD) medium, a floppy disk, and the like. Additionally, the entireprogram code, or portions thereof, may be transmitted and downloadedfrom a software source, e.g., over the Internet, or from another server,as is well known, or transmitted over any other conventional networkconnection as is well known (e.g., extranet, VPN, LAN, etc.) using anycommunication medium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet,etc.) as are well known. It will also be appreciated that computer codefor implementing aspects of the present invention can be implemented inany programming language that can be executed on a client system and/orserver or server system such as, for example, in C, C++, HTML, any othermarkup language, Java, JavaScript, ActiveX, any other scripting languagesuch as VBScript, and many other programming languages as are wellknown.

According to one embodiment, each MTS 16 is configured to provide webpages, forms, applications, data and media content to user (client)systems 12 to support the access by user systems 12 as tenants of MTS16. As such, MTS 16 provides security mechanisms to keep each tenant'sdata separate unless the data is shared. If more than one MTS is used,they may be located in close proximity to one another (e.g., in a serverfarm located in a single building or campus), or they may be distributedat locations remote from one another (e.g., one or more servers locatedin city A and one or more servers located in city B). As used herein,each MTS could include one or more logically and/or physically connectedservers distributed locally or across one or more geographic locations.Additionally, the term “server” is meant to include a computer system,including processing hardware and process space(s), and an associatedstorage system and database application (e.g., OODBMS or RDBMS) as iswell known in the art. It should also be understood that “server system”and “server” are often used interchangeably herein. Similarly, thedatabases described herein can be implemented as single databases, adistributed database, a collection of distributed databases, a databasewith redundant online or offline backups or other redundancies, etc.,and might include a distributed database or storage network andassociated processing intelligence.

FIG. 2 illustrates elements of MTS 16 and various interconnections inmore detail. In this example, the network interface is implemented asone or more HTTP application servers 100. Also shown is system processspace 102 including individual tenant process spaces 104, a systemdatabase 106, tenant database(s) 108 and a tenant management processspace 110. Tenant database 108 might be divided into individual tenantstorage areas 112, which can be either a physical arrangement or alogical arrangement. Within each tenant storage area 112, user storage114 might similarly be allocated for each user. For example, a copy of auser's most recently used (MRU) items might be stored to user storagearea 114. Similarly, a copy of MRU items for an entire organization thatis a tenant might be stored to tenant storage area 112.

It should also be understood that each application server 100 may becommunicably coupled to database systems, e.g., system database 106 andtenant database(s) 108, via a different network connection. For example,one server 100 ₁ might be coupled via the Internet 14, another server100 _(N-1) might be coupled via a direct network link, and anotherserver 100 _(N) might be coupled by yet a different network connection.Transfer Control Protocol and Internet Protocol (TCP/IP) are typicalprotocols for communicating between servers 100 and the database system,however, it will be apparent to one skilled in the art that othertransport protocols may be used to optimize the system depending on thenetwork interconnect used.

In certain aspects, each application server 100 is configured to handlerequests for any user associated with any organization that is a tenant.Because it is desirable to be able to add and remove application serversfrom the server pool at any time for any reason, there is preferably noserver affinity for a user and/or organization to a specific applicationserver 100. In one embodiment, therefore, an interface system (see,e.g., FIG. 4) implementing a load balancing function (e.g., an F5 Big-IPload balancer) is communicably coupled between the servers 100 and theuser systems 12 to distribute requests to the servers 100. In oneaspect, the load balancer uses a least connections algorithm to routeuser requests to the servers 100. Other examples of load balancingalgorithms, such as round robin and observed response time, also can beused. For example, in certain aspects, three consecutive requests fromthe same user could hit three different servers 100, and three requestsfrom different users could hit the same server 100. In this manner, MTS16 is multi-tenant, wherein MTS 16 handles storage of, and access to,different objects, data and applications across disparate users andorganizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses MTS 16 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenantdatabase 108). In the preferred MTS arrangement, since all of this dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by MTS 16 that are allocated atthe tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants will opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional criticalfunctions and need to be implemented in the MTS.

In addition to user-specific data and tenant-specific data, MTS 16 mightalso maintain system level data usable by multiple tenants or otherdata. Such system level data might include industry reports, news,postings, and the like that are sharable among tenants.

In certain aspects, client systems 12 communicate with applicationservers 100 to request and update system-level and tenant-level datafrom MTS 16 that may require one or more queries to database system 106and/or database system 108. MTS 16 (e.g., an application server 100 inMTS 16) automatically generates one or more SQL statements (the SQLquery) designed to access the desired information. Database system 108may generate query plans to access the requested data from the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and isused herein to simplify the conceptual description of objects and customobjects according to the present invention. It should be understood that“table” and “object” may be used interchangeably herein. Each tablegenerally contains one or more data categories logically arranged ascolumns or fields in a viewable schema. Each row or record of a tablecontains an instance of data for each category defined by the fields.For example, a CRM database may include a table that describes acustomer with fields for basic contact information such as name,address, phone number, fax number, etc. Another table might describe apurchase order, including fields for information such as customer,product, sale price, date, etc. In some multi-tenant database systems,standard entity tables might be provided for use by all tenants. For CRMdatabase applications, such standard entities might include tables forAccount, Contact, Lead and Opportunity data, each containing pre-definedfields. It should be understood that “entity” may also be usedinterchangeably herein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. U.S. patent application Ser. No.10/817,161, filed Apr. 2, 2004, titled “Custom Entities and Fields In aMulti-Tenant Database System”, and which is hereby incorporated hereinby reference, teaches systems and methods for creating custom objects aswell as customizing standard objects in a multi-tenant database system.In certain aspects, for example, all custom entity data rows are storedin a single multi-tenant physical table, which may contain multiplelogical tables per organization. It is transparent to customers thattheir multiple “tables” are in fact stored in one large table or thattheir data may be stored in the same table as the data of othercustomers.

In a multi-tenant data base system, all customers may share the variouselements of hardware and software that run the system. For example, agiven application server may simultaneously process requests forhundreds of customers. And a given database table may store rows fromthousands of customers. In such a system it is highly desirable toassure that a customer's data remains secure and only visible andupdatable by appropriate users in an organization. Although conventionaldata security may be implemented, such as intrusion detection andphysical access controls, and industry standard network firewalls, it isnonetheless useful to provide additional or alternative security systemsand methods as a defense against possible errors or defects inapplication software, system and network software and/or system andnetwork hardware that may cause the wrong page or data to be returned toa user.

Security Features

FIG. 3 illustrates a database query plan detection system 200 accordingto one embodiment. In one aspect, the database query plan detectionsystem of FIG. 3 is implemented in the multi-tenant database system 16of FIG. 1. As shown, database query plan detection system 200 includes adatabase query plan detection module 210 communicably coupled todatabase system 220 (e.g., system database 106 and/or tenant database108 of FIG. 2). Database query plan detection module 210 implementsprocesses that query the database 220 on a periodic basis to retrieveand analyze query plans. In certain aspects, database query plandetection module 210 is implemented in a separate device as shown, suchas a separate server or computer system, although it should beappreciated that or it may be implemented in an application server 100or in a database server.

In a typical multi-tenant database schema, certain query plans shouldnever occur and others should only occur in a small number of identifiedcircumstances. These might include joins that read multiple partitionsand hash joins. For example, because each organization's data may bestored in a single physical database partition, any queries initiated byusers that would access data in multiple partitions are suspect.Similarly, where a large table is used to store data across multipletenants, any query plan that reads all or a majority of data rows in thetable would be suspect.

In one aspect, the database query plan detector module executes abackground process that runs independently of the database andfrequently polls the database for query plans the database is usinglooking for any unexpected or suspect plans. If it detects anyinappropriate or suspect query plans, in one aspect, the moduledetermines whether the suspect plan falls under an exception, e.g.,query plans executing system housekeeping tasks, and if not the modulelogs the information and raises an appropriate alert. If the plan fallsunder an exception it may be allowed to proceed. Running this query plandetector module both on the production service and during developmentand testing is useful to detect any code or infrastructure problems thatmay result in the wrong data being accessed by the wrong customer.

Examples of additional query plans that would be suspect include anyplan that involves a full table scan, a merge join Cartesian or a“Partition Hash All” query, or similar operations. In a “Partition HashAll” query execution step, or something similar, the database may readthe entire partition into memory and organize it for comprehensiveaccess. This means that the query would be scanning across physicalpartitions. A query plan executing any full table scan may be indicativeof a query that does not include an organization filter. For one typicalmulti-tenant database schema, a given organizations rows are typically alow percentage of the database table. If the database is performing afull table scan “not using an index” this indicates a query is likelymissing an organization ID filter. A merge join cartesian is a specificplan that indicates the database (e.g., a database provided by Oracle,Inc. of Redwood Shores, Calif.) is trying to optimize a query by readingall data from two tables into memory for a query that will access a highpercentage of the rows in that table. All of these plans may be valid insome small number of cases, and thus would be present on the“exceptions” list in one aspect.

FIG. 4 illustrates a server-side firewall system 300 according to oneembodiment. In one aspect, the firewall system of FIG. 4 is implementedwith the multi-tenant database system 16 of FIG. 1. As shown, firewallsystem 300 includes one or a plurality of firewall servers 310communicably coupled to application server(s) 100. Where a loadbalancing system 305, including one or more load balancing servers, ispresent, the firewall servers 310 sit between the load balancing system305 and the application servers 100. However, it should be appreciatedthat the functionality of a firewall server 310 can be implemented inload balancer system 305 or in an application server 100. However, it ispreferred that the firewall server functionality be separate from theapplication servers and that the firewall servers operate on a differenthardware and software platform than the application servers. This makesit much less likely that any infrastructure issues affecting one system(e.g., application server system or firewall server system) will affectthe other. Similarly, it is desirable that the load balancing system 305operate on a different hardware and software platform than firewallservers 310.

In one aspect, as shown in FIG. 4, firewall system 300 includes aseparate stack of one or more servers 310 from the application servers100 that render the UI and perform business logic. The purpose of thesefirewall servers 310 is to relay requests between the load balancersystem 305 and application servers 100. (or between network 14 andapplication servers 100 where no load balancing functionality ispresent. For each request they relay, each firewall server 310 performsthe following steps:

1) record the SID (or client hash) in the request received from theclient 12; and

2) forward the request to an application server 100.

In certain aspects, there may be a one-to-one, one-to-many, ormany-to-many correspondence between a load balancer and a firewallserver. That is, a load balance server may be configured to address oneor more specific firewall servers or it may address any firewall server.Similarly, there may be a one-to-one, one-to-many, or many-to-manycorrespondence between a firewall server and an application server.

When the application server 100 responds to the received client request,it typically adds a response header containing the SID (or a client hashwith user ID and organization ID information) for the response. Thefirewall server 310 receives the response message, extracts the SID (orclient hash), and compares the information in the SID (or client hash)in the response to the information in the SID that was originally issuedby the client. If they are different, the firewall server knows thatthere was some kind of error and responds to the client with an errorcode instead of the wrong page. It records this error and raises anappropriate alert, e.g., by sending a notification to a systemadministrator. If the information matches, the firewall server 310 maystrip the SID from the body of the page and/or from the HTTP header andforward the response to the requesting client.

FIG. 5 illustrates an exemplary client firewall process according to oneembodiment. In typical operation, a client system initiates a session bysending a login request to MTS 16, which is received by an applicationserver 100. In response, the application sends a login response back tothe requesting client system 12. In one aspect, the response includes alogin page; the page “frontdoor.jsp” is always the first page a userhits when logging in. This page runs (on the client) a simple loginscript to verify that the client supports the validation logic. This isimportant because the client firewall relies on client-side validationlogic processing. In one aspect, the validation logic is implemented inJavaScript, and the login script verifies that the client supportsJavaScript. If the client does not support JavaScript (or whateverclient logic platform the firewall is implemented in), the applicationwill still work but without the firewall.

In one aspect, the “frontdoor.jsp” page sets a SID cookie when the userlogs in. Any other page in the service may set the SID cookie if it isfirst page requested within the window (e.g., 15 minute) before a SIDexpires. Whenever the SID cookie is set, another cookie is also setcalled the “user hash”. This cookie contains an alphanumeric string thatuniquely identifies a given user and organization.

The SID and user hash cookies must be set using client logic (such asJavaScript) instead of HTTP cookie header. This allows the clientfirewall logic to validate that the page is truly intended for theclient before a SID or user hash cookie is set. If the cookies are setusing standard HTTP headers, the browser would set the SID and user hashcookies before the client firewall code runs, rendering the checkuseless.

Returning to FIG. 5, after the user has logged into the system, arequest or query may be sent to the system. The application server 100receives and processes the request, and sends a response message back tothe requesting client. In one aspect, for each page sent back to aclient, the application server 100 includes a hash of user id andorganization id for the user and organization for which the page wasgenerated. It also includes client based logic (e.g., JavaScript) intoevery page. When received by the client, the client logic executes andvalidates that the user id and organization id for which the page wasgenerated is the same as the user id and organization that made theoriginal request. In one aspect, this logic compares the user id andorganization id stored on the client (e.g., in the SID and/or user hashcookie) with the ids returned with the page. An example of JavaScriptsource code for this client side logic is as follows:

<script language=“JavaScript1.2” src=“/js/session.js”> </script><script>  var hvch = needsClientHash(‘sid_Client’,‘0000000cBXH00000000062’, ‘65.118.120.94’, ‘/servlet/servlet.ClientHashValidator?ResponseRequestedURL=%2F0033000000DCGGg’ ); </script>

Examples of JavaScript source code for the function “needsClientHash’and other relevant JavaScript functions is provided below:

function putClientHash(name, value, domain, path) {  document.cookie =name + ‘=’ + value +    ((domain) ? ‘; domain=’ + domain : ″) +  ((path) ? ‘; path=’ + path : ‘ ; path=/’); } functiongetClientHash(name) {  var dc = document.cookie;  var prefix = name +‘=’;  var begin = dc.indexOf(‘; ’ + prefix);  if (begin == −1) {   begin= dc.indexOf(prefix);   if (begin != 0) return null;  } else {   begin+= 2;  }  var end = document.cookie.indexOf(‘;’, begin);  if (end == −1){   end = dc.length;   }   return unescape(dc.substring(begin +prefix.length, end)); } function needsClientHash(hashName, hashValue,clientSrc, nextPage) {   var clientHash = getClientHash(hashName);   varneedsClientHash = clientHash == hashValue;   if (!needsClientHash) {   var currLoc = unescape(window.location.href);    var index =currLoc.indexOf(hashValue, 0);    needsClientHash = index > −1; }  if(!needsClientHash) {   window.location.href = nextPage + ‘&winLoc=’ +window.location + ‘&c=’ + clientHash + ‘&s=’ + hashValue + ‘&cs=’ +clientSrc;  }  return needsClientHash; }

Similar to the server firewall embodiment, if the client firewalldetects a page being delivered to the wrong user or organization, thefirewall immediately logs the user out of the application and raises anappropriate alert.

It should be understood that the client firewall validation logic couldbe implemented using other client programming logic. For example, itcould use Java or ActiveX plug ins, etc. If implemented as an ActiveXplug-in, for example, each page sent to a client could include a call tothe ActiveX plug-in so as to execute the validation logic.

While the invention has been described by way of example and in terms ofthe specific embodiments, it is to be understood that the invention isnot limited to the disclosed embodiments. To the contrary, it isintended to cover various modifications and similar arrangements aswould be apparent to those skilled in the art. Therefore, the scope ofthe appended claims should be accorded the broadest interpretation so asto encompass all such modifications and similar arrangements.

What is claimed is:
 1. A multi-tenant database system, comprising: adatabase system to store data for multiple tenants; an applicationserver communicably coupled to the database system and to a network, theapplication server providing network access to the database system forat least one client system; and at least one firewall servercommunicably coupled between the application server and the at least oneclient system, the at least one firewall server operable to: receive aclient request; extract user and organization information from theclient request; forward the client request to the application server;and compare user and organization information included in a responsemessage received from the application server with the user andorganization information extracted from the client request.
 2. Themulti-tenant database system of claim 1, wherein the user andorganization information is included in at least one of a session id(SID) cookie and a string data field, and wherein the client request andthe response message each include at least one of the session id (SID)cookie and the string data field.
 3. The multi-tenant database system ofclaim 1, wherein the firewall server strips a portion of the user andorganization information from the body of a page included as part of theresponse message and forward the response message to the client system.4. The multi-tenant database system of claim 1, wherein the firewallserver raises an alert when the user and organization information in theresponse does not match the extracted user and organization information.5. The multi-tenant database system of claim 1, wherein the firewallserver generates and sends an error code in response to the clientrequest when the user and organization information in the response doesnot match the extracted user and organization information.
 6. Themulti-tenant database system of claim 1, wherein the firewall serverlogs the client system out of the application server in response to theclient request when the user and organization information in theresponse does not match the extracted user and organization information.7. The multi-tenant database system of claim 1, wherein the firewallserver records error information when the user and organizationinformation in the response does not match the extracted user andorganization information.
 8. The multi-tenant database system of claim1, wherein the firewall server uses a unique id of the user andorganization information to track an identity of a user requesting apage.
 9. The multi-tenant database system of claim 1, wherein thefirewall server extracts the user and organization information includedin the response message.
 10. The multi-tenant database system of claim1, wherein the firewall server extracts the user and organizationinformation from an HTML header of the response message.
 11. A method ofproviding a client-side firewall in a multi-tenant database system tostore data for multiple tenants, the method comprising: at the databasesystem, responsive to a login request received from a first clientsystem, responding to the first client system with a login responsemessage that includes user and organization information and firstvalidation logic, wherein the database system includes an applicationserver communicably coupling the database system to a network, andwherein the application server provides network access to the databasesystem for at least one client system; at the first client system,executing the first validation logic to set the user and organizationinformation; at the database system, responsive to a subsequent requestreceived from the first client system, responding to the first clientsystem with a response message that includes user and organizationinformation and second validation logic; and at the first client system,executing the second validation logic to validate that the user andorganization information received in the response message matches theuser and organization information that was set at the first clientsystem.
 12. The method of claim 11, wherein the user and organizationinformation is included in at least one of a session id (SID) cookie anda string data field, and wherein the login response and the responsemessage each include at least one of the session id (SID) cookie and thestring data field.
 13. The method of claim 11, wherein if the user andorganization information received in the response message does not matchthe user and organization information that was set at the first clientsystem, the user is automatically logged out of the application server.14. The method of claim 11, wherein if the user and organizationinformation received in the response message does not match the user andorganization information that was set at the first client system, thefirst client system sends an alert to a system administrator.
 15. Amethod of providing a client-side firewall for a multi-tenant databasesystem storing data for multiple tenants, wherein the database systemincludes an application server communicably coupling the database systemto a network, and wherein the application server provides network accessto the database system for at least one client system, the methodcomprising: at a first client system, sending a first login request tothe database system; receiving, from the database system, a first loginresponse message that includes user and organization information andfirst validation logic; at the first client system, executing the firstvalidation logic to set the user and organization information; sending asecond login request to the database system; receiving, from thedatabase system, a second login response message that includes user andorganization information and second validation logic; and at the firstclient system, executing the second validation logic to validate thatthe user and organization information received in the second loginresponse message matches the user and organization information that wasset by executing the first validation logic.